
INFORMATION ASSURANCE AND CYBER SECURITY STRATEGIC PLAN

Table of Contents | 1

CONTENTS

1 EXECUTIVE SUMMARY ... 6
2 INTRODUCTION ... 8
2.1 Background ... 9
2.2 Current and Emerging Cyber Security Threats ... 9
2.2.1 Outlook for 2013-2015 ... 10
2.2.2 Counterintelligence ... 10
2.3 Scope ... 10
2.4 Alignments ... 11
2.5 IA and CS Program Management Plan ... 11
2.6 Purpose and Benefits ... 11
3 FUNDAMENTALS OF INFORMATION ASSURANCE RISK MANAGEMENT ... 13
3.1 Basic Elements of the Risk Assessment Process ... 16
3.2 Establish Relationships ... 17
3.3 Develop Statewide Categorization Guidance ... 17
3.4 Identifying Types of Risks ... 17
3.5 Risk Categories ... 18
3.6 Current Risk Assessment Methodologies ... 19
3.6.1 Qualitative Method ... 19
3.6.2 Quantitative Method ... 20
3.7 Alternative Risk Assessment Methods ... 21
3.7.1 Probabilistic Risk Assessment (PRA) ... 21
3.7.2 Forensic Analysis of Risks in Enterprise Systems (FARES) ... 22
3.8 Challenges Assessing Information Security Risks ... 22
4 STRATEGIC INFORMATION ASSURANCE AND CYBER SECURITY GOALS AND OBJECTIVES ... 29
5 PERSPECTIVE ON INFORMATION ASSURANCE ... 32
5.1 Commitment ... 34
5.1.1 Department Heads and CIOs ... 34
5.1.2 Directors, Chairs, Managers, and Other Supervisors ... 34
5.1.3 Chief Information Security Officer (CISO) ... 34
5.2 Communication Plan ... 36
5.3 Resource Management ... 36
5.4 Measuring Quality Effectiveness ... 36
6 INFORMATION ASSURANCE AND CYBER SECURITY DIVISION ... 36
6.1 Garner Respect and Resources ... 37
6.2 Demonstrate Top Management Support ... 37
6.3 Establish Formal Communication Channels ... 37
6.4 Foster Coordinated Team Effort to Safeguard Information ... 37
6.5 Enable Better Allocation of Organizational Resources ... 38
6.6 Minimize Associated Costs for Security as a Service (SecaaS) ... 38
6.7 Reduce Single Point of Failure ... 38
6.8 Demonstrate Compliance ... 38
6.9 Increase Efficiency and Productivity ... 39
6.10 Cyber Security Controls Branch (CSCB) ... 40
6.11 Compliance, Auditing, and Policy Branch (CAPB) ... 40
6.12 Identity and Access Management Branch (IAMB) ... 40
6.12.1 Public Key Infrastructure-Certificate Management Services (PKI-CMS) ... 41
6.13 Security Operations Monitoring Branch (SOMB) ... 42
6.13.1 Deliver Situational Awareness ... 42
6.13.2 Meet Business Operations Requirements ... 42
6.13.3 Reduce Risk and Downtime ... 42
6.13.4 Threat Control and Prevention ... 43
6.13.5 Ease Administrative Overhead ... 43
6.13.6 People and Responsibilities ... 43
6.13.7 Escalation Path ... 43
6.13.8 Audit and Compliance Support ... 43
6.13.9 Incident Response and Recovery ... 44
6.13.10 Meet Technical Operations Requirements ... 44
6.13.11 Speed of Aggregation and Correlation ... 44
6.13.12 Device and System Coverage ... 44
6.13.13 Proactive Infrastructure Monitoring ... 44
6.13.14 Uptime 24/7, 365 Days of the Year ... 44
6.13.15 Support for Federated and Distributed Environments ... 44
6.13.16 Forensic Capabilities ... 44
6.13.17 Intelligent Integration with SOCs and NOCs ... 45
6.13.18 The SOC in Action ... 45
6.13.19 Multiple Security Operations Centers ... 46
6.13.20 Privileged Access Monitoring ... 46
6.14 State of Hawai`i Data Privacy Program ... 46
7 STRATEGIC PLAN ASSUMPTIONS ... 47
8 CONSTRAINTS ... 48
9 INFORMATION ASSURANCE AND CYBER SECURITY INITIATIVES ... 49
10 GUIDANCE FOR PROGRAM MANAGERS AND PROJECT LEADS ... 49
11 CONCLUDING REMARKS ... 50
APPENDIX A - INFORMATION ASSURANCE AND CYBER SECURITY PROGRAM STRATEGIC INVESTMENT INITIATIVES ... 51
CONTRIBUTORS ... 51
SOURCES ... 51


FIGURES

Figure 1 - CIO's IT/IRM Transformation Vision ... 11
Figure 2 - Security Life Cycle ... 14
Figure 3 - Risk Management Cycle ... 16
Figure 4 - Impact Assessment of Various Incidents to Enterprise ... 20
Figure 5 - Elements of Information Assurance and Cyber Security (Parkerian Hexad) ... 24
Figure 6 - Security Implementation Strategy Based on Importance vs. Complexity ... 25
Figure 7 - Information Assurance and Cyber Security Capability Maturity Model with Example Security Controls ... 28
Figure 8 - Information Assurance Branch Roadmap ... 29
Figure 9 - CIO Top Information Assurance and Cyber Security Concerns (2011) ... 33
Figure 10 - Recommended Information Assurance and Cyber Security Division Organization ... 39
Figure 11 - Notional Shared Services Center Vision for Hawai`i ... 46


TABLES

Table 1 - Security Controls Classes, Families, and Identifiers ... 15
Table 2 - Identified Risks ... 18
Table 3 - Differences in Methodologies ... 19
Table 4 - Impact/Likelihood of Impact to the Enterprise Matrix ... 19
Table 5 - Factors in Risk Analysis Equation ... 21
Table 6 - Example Risk Analysis Table ... 21
Table 7 - CISSP 10 Domains of Information Assurance ... 23
Table 8 - Categories of Security Controls Related to Information Assurance ... 26
Table 9 - Maturity Levels of Security Controls Related to Information Assurance ... 26
Table 10 - IA and CS Staff Distribution of Full-time Equivalents ... 26
Table 11 - Description of Investment Initiatives Tables ... 53

